Web services may be protected from intrusions (e.g., denial-of-service attacks and malware) using intrusion detection systems (IDS). Intrusion detection systems typically operate on individual Internet Protocol (IP) data packets, and are generally network-based (NIDS) or host-based (HIDS). A NIDS scans network packets at the router level and logs information about suspicious packets to a log file. A HIDS monitors a single computer system's state, memory, and the packets received at its network interface for violations of that host's security policies. IDS operation is commonly categorized as Behavior-Based or Anomaly-Based. IDS implementations and products range from software-only designs to completely embedded hardware/appliance boxes. Recent advances in IDS have focused on Application-level IDS, where the IDS rules reside neither at the host nor at the network; instead, the IDS rules are coded along with the Application. The benefits of Application-level IDS include the fact that an Application developer can usually tell what constitutes right usage of the Application and what constitutes wrong usage, and hence the latter (i.e., the wrong usage) is best captured at the Application programming level.